{
	"id": "364c7d43-0499-4769-96da-2450bbde0e66",
	"created_at": "2026-04-06T00:10:36.80465Z",
	"updated_at": "2026-04-10T03:25:23.326017Z",
	"deleted_at": null,
	"sha1_hash": "1a7c45b5542852ce93f7da02a8418974817a2038",
	"title": "Cyber Espionage APT group using Hacking Team’s 0-day Exploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 951686,
	"plain_text": "Cyber Espionage APT group using Hacking Team’s 0-day Exploit\r\nBy Deepen Desai\r\nPublished: 2015-08-14 · Archived: 2026-04-05 19:35:12 UTC\r\nIntroduction\r\nAs predicted following the leak of the Hacking Team exploit code covered here, the Zscaler security research team\r\nhas recently started seeing a Chinese cyber espionage group weaponizing malware payloads with the 0-day\r\nexploits found in the leaked Hacking Team archives. This attack therefore represents a dangerous new hybrid,\r\ncombining the work of a notorious surveillance-software vendor with a Chinese cyber espionage group to attack a financial\r\nservices firm.\r\nZscaler's cloud sandboxes recently detected a Remote Access Trojan (RAT) being delivered by a well-known\r\nChinese cyber espionage group using Hacking Team’s 0-day exploits. This attack specifically targeted a\r\nwell-known financial services firm. The exploit files involved were identical to Hacking Team's leaked exploit\r\nHTML, JavaScript, and Shockwave Flash 0-day files. The end payload that was installed is the HttpBrowser RAT,\r\nknown to have been used by the same Chinese group in previous targeted attacks against governments.\r\nFigure 1: Chinese APT attack cycle to plant HttpBrowser RAT\r\nHacking Team Exploits\r\nThe attack involved targeted users visiting a malicious URL delivered via a spear phishing attack. The malicious\r\nURL points to a remote server located in Hong Kong (IP address 210.209.89.162) that downloads and executes\r\na malicious Shockwave Flash payload through specially crafted HTML \u0026 JavaScript. 
The exploit files involved\r\nare identical to the ones that we found during our analysis of the Hacking Team leaked code, as seen below:\r\nhttps://www.zscaler.com/blogs/research/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm\r\nFigure 2: Resemblance with Hacking Team's exploit HTML\r\nFigure 3: Resemblance with Hacking Team's SWF exploit\r\nThe Adobe Shockwave Flash exploit (CVE-2015-5119), if successful, downloads and installs a variant of the\r\nHttpBrowser RAT from the same Hong Kong based server, which eventually also serves as the Command \u0026\r\nControl (C\u0026C) server.\r\nFigure 4: Hong Kong based server used in the attack [credit: domaintools.com]\r\nMalware Payload - HttpBrowser RAT\r\nHttpBrowser is a RAT that has become extremely popular in the past two years among APT adversaries, leveraged\r\nin various targeted attacks. The RAT has been leveraged as the primary payload by the APT group that is also\r\nknown to install the PlugX backdoor during lateral movement in the victim environment after\r\ncompromise.\r\nThe HttpBrowser payload used for the attack was compiled just a few days before the attack, as seen below:\r\nFigure 5: HttpBrowser payload compilation time\r\nThe HttpBrowser installer archive structure is very similar to that observed in previous PlugX attacks. 
The\r\ninstaller archive in our case was svchost.exe (saved as xox.exe), which consisted of the following three files:\r\nVPDN_LU.exe - A legitimate, digitally signed Symantec Antivirus executable, used to evade detection\r\nFigure 6: Legitimate Symantec Antivirus executable used in the attack\r\nnavlu.dll - A fake Symantec DLL that decrypts and runs the HttpBrowser RAT\r\nnavlu.dll.url - The encrypted HttpBrowser RAT payload\r\nThe HttpBrowser RAT installer drops the above three files and runs the legitimate\r\nSymantec Antivirus binary VPDN_LU.exe. The legitimate binary lists navlu.dll in its import table, so the loader\r\nmaps that DLL and runs its DllMain before the executable's own entry point. The navlu.dll that gets loaded in this case is the fake\r\nSymantec DLL placed in the same directory, and it patches the entry point of the main executable with a\r\njump instruction so that the DLL’s code runs instead.\r\nFigure 7: Legitimate executable entry point patched\r\nThis technique is known as DLL hijacking (also called DLL side-loading): the Windows DLL search order checks the\r\napplication's own directory before the system directories, so the fake Symantec DLL is the one that gets loaded. The DLL’s code decrypts and runs the HttpBrowser\r\nRAT payload from the navlu.dll.url file in the same memory space as the benign executable. The decryption\r\nroutine consists of an incremental XOR, as seen below:\r\nFigure 8: Incremental XOR routine to decrypt RAT payload\r\nThe HttpBrowser installer structure ensures that the malware evades detection by running in the context of the\r\nlegitimate signed binary. 
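The incremental XOR routine shown in Figure 8 lends itself to a known-plaintext recovery, because whatever it decrypts must start with a PE header. The block below is an added example, not code from the Zscaler post or from the malware. It assumes a key schedule in which byte i is XORed with (key + i * step) mod 256; the post only shows the routine as a figure, so that schedule is an assumption and a real sample may differ. It recovers key and step from the two known 'MZ' bytes, validates the guess against the PE signature at e_lfanew, and round-trips a constructed stand-in blob (not a real navlu.dll.url).

```python
# Added example (not Zscaler code): decrypt a payload protected by an
# incremental XOR and recover the key parameters from the known PE header.
# Assumption: byte i is XORed with (key + i * step) & 0xff. The post shows the
# routine only as Figure 8, so the exact schedule is assumed, not confirmed.

MZ_SIG = bytes.fromhex('4d5a')        # 'MZ', first two bytes of every PE file
PE_SIG = bytes.fromhex('50450000')    # 'PE', 0, 0 at offset e_lfanew
E_LFANEW_OFFSET = 0x3c


def xor_incremental(data, key, step=1):
    # XOR is its own inverse, so the same routine encrypts and decrypts.
    return bytes(b ^ ((key + i * step) & 0xff) for i, b in enumerate(data))


def looks_like_pe(blob):
    # Cheap plausibility check used to validate a candidate key pair.
    if len(blob) < E_LFANEW_OFFSET + 4 or blob[:2] != MZ_SIG:
        return False
    e_lfanew = int.from_bytes(blob[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4], 'little')
    return blob[e_lfanew:e_lfanew + 4] == PE_SIG


def recover_parameters(encrypted):
    # Known-plaintext attack: the first two plaintext bytes are 'MZ', which
    # pins down both the starting key and the per-byte increment.
    key = encrypted[0] ^ MZ_SIG[0]
    step = ((encrypted[1] ^ MZ_SIG[1]) - key) & 0xff
    candidate = xor_incremental(encrypted, key, step)
    if not looks_like_pe(candidate):
        return None          # schedule differs from the assumed one
    return key, step


def build_sample_pe():
    # Constructed stand-in for navlu.dll.url: a 128-byte blob with a DOS
    # header pointing at a PE signature at offset 0x40. Not a real binary.
    blob = bytearray(128)
    blob[:2] = MZ_SIG
    blob[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = (0x40).to_bytes(4, 'little')
    blob[0x40:0x44] = PE_SIG
    return bytes(blob)


def demo():
    # Encrypt the constructed sample with parameters the analyst does not
    # know, then recover them from the ciphertext alone.
    plain = build_sample_pe()
    encrypted = xor_incremental(plain, key=0x5a, step=3)
    assert encrypted[:2] != MZ_SIG          # the header is hidden on disk
    params = recover_parameters(encrypted)
    decrypted = xor_incremental(encrypted, *params)
    return params, decrypted == plain


if __name__ == '__main__':
    print(demo())    # -> ((90, 3), True)
```

On a real sample, feed the bytes of navlu.dll.url to recover_parameters() instead of the constructed blob; a None result means the schedule is not the assumed linear one, and the next step is to read the routine in Figure 8 and adjust xor_incremental() accordingly before trusting any carved PE.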
Running inside the signed binary also means the malicious DLL will not execute on its own in automated analysis\r\nenvironments.\r\nThe malware then deletes the original installer file and moves the dropped files to the following location:\r\n%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe\r\n%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\navlu.dll\r\n%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\navlu.dll.dll\r\nThe malware also creates the following registry Run entry to ensure persistence:\r\nHKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, value vpdn =\r\n“%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe”\r\nCommand \u0026 Control communication\r\nThe HttpBrowser RAT variant was configured to connect to the following Command \u0026 Control server upon\r\nsuccessful infection:\r\nupdate.hancominc[.]com:8080\r\nIt relays the following information about the victim machine, in encrypted form over SSL:\r\n/loop?c=\u0026l=\u0026o=\u0026u=\u0026r=\u0026t=\r\nThe commands supported by this RAT variant are:\r\nCommand - Description\r\ninit - Start a reverse shell and send the list of drives on the infected system\r\nsetcmd - Change the default shell (cmd.exe)\r\nsettime - Set the sleep time\r\nuninstall - Uninstall itself\r\nwrite - Write a command to the shell\r\nlist - Send a list of files and folders to the C\u0026C\r\nupload - Download a file from the C\u0026C to the victim\r\ndown - Upload a file from the victim to the C\u0026C\r\n(The upload and down names describe the transfer from the operator's side, the reverse of the victim's perspective.)\r\nHere are some sample decrypted C\u0026C transactions from the HttpBrowser RAT:\r\nFigure 9: List of drives sent as part of the init command\r\nFigure 10: List of files sent as part of the list command\r\nConclusion\r\nHttpBrowser RAT, with a feature set that includes an SSL-based C\u0026C channel and anti-detection \u0026 anti-analysis\r\ntechniques, remains a popular malware choice for APT attacks. There have been multiple instances where this\r\nRAT co-existed with the PlugX RAT on the compromised network, indicating an APT adversary group with a set\r\nattack tool arsenal. The network infrastructure leveraged in this attack against the financial services firm shows\r\ninvolvement of a previously known cyber espionage APT group of Chinese origin. The main motive of this group\r\nis to monitor and exfiltrate intellectual property data from the target organization.\r\nZscaler’s ThreatLabZ has confirmed coverage for these exploits and for the HttpBrowser variant, ensuring\r\nprotection for organizations using Zscaler’s Internet security platform.\r\nResearch by: Abhay Yadav, Avinash Kumar, Nirmal Singh, Deepen Desai\r\nSource: https://www.zscaler.com/blogs/research/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm"
	],
	"report_names": [
		"chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775791523,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a7c45b5542852ce93f7da02a8418974817a2038.pdf",
		"text": "https://archive.orkl.eu/1a7c45b5542852ce93f7da02a8418974817a2038.txt",
		"img": "https://archive.orkl.eu/1a7c45b5542852ce93f7da02a8418974817a2038.jpg"
	}
}